Full Disclosure mailing list archives
Wimpy MP3 Player - Text file overwrite vulnerability
From: Scott Dewey <wr0ck.lists () gmail com>
Date: Wed, 15 Feb 2006 20:55:15 -0500
=======================================================================================
XOR Crew :: Security Advisory 2/10/2006
=======================================================================================
Wimpy MP3 Player - Text file overwrite. (lame)
=======================================================================================
http://www.xorcrew.net/
http://www.xorcrew.net/ReZEN/
=======================================================================================

:: Summary

      Vendor       :  Plaino Inc.
      Vendor Site  :  http://www.wimpyplayer.com/
      Product(s)   :  Wimpy MP3 Player
      Version(s)   :  All
      Severity     :  Low
      Impact       :  trackme.txt overwrite
      Release Date :  2/10/2006
      Credits      :  ReZEN (rezen (a) xorcrew (.) net)

=======================================================================================

I. Description

Wimpy provides a simple, clean, enjoyable listening experience for your website's
visitors. Lists and plays an entire directory full of mp3 files automatically.

=======================================================================================

II. Synopsis

The file wimpy_trackplays.php does not check the variables passed to it prior to
writing the contents of those variables to trackme.txt. That allows us to write
anything we want to trackme.txt. This is not really a problem for the server running
wimpy. The problem lies in the fact that being able to write to trackme.txt allows
the attacker a jump off point for other Remote Command Execution Bugs that read from
text files. These bugs are quite common and thus wimpy aids the attacker in staying
anonymous.

Example:

http://www.site.com/pathtowimpy/goodies/wimpy_trackplays.php?myAction=trackplays&trackFile=<?php&trackArtist=system("uname -a;id;");&trackTitle=?>

that writes:

<?php
system("uname -a;id;");
?>

to trackme.txt. Then all the attacker has to do is point his RCE exploit to
trackme.txt and there you have it. So yeah lame vuln but interesting. Peace out.

=======================================================================================

IV. Greets :>

All of xor, Infinity, stokhli, ajax, gml, cijfer, my beautiful girlfriend.

=======================================================================================
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
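
A defender-side check for the request pattern described in the Synopsis, as an added example that is not part of the original advisory: it scans web server access-log lines for requests to wimpy_trackplays.php whose track fields contain script delimiters once URL-decoded. The Apache common/combined log format, the sample lines and the function name are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Fields the advisory's example request uses to carry the text written to trackme.txt.
TRACK_FIELDS = ("trackFile", "trackArtist", "trackTitle")
# Script delimiters that a track name never needs (checked after URL-decoding).
SCRIPT_TAG = re.compile(r"<\?|\?>|<%")
# Request line as it appears in Apache common/combined logs (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')


def suspicious_trackplays(log_lines):
    """Return [(line_number, {field: decoded_value})] for flagged requests."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith("/wimpy_trackplays.php"):
            continue
        fields = {k: v for k, v in parse_qsl(url.query, keep_blank_values=True)
                  if k in TRACK_FIELDS}
        # The payload can be split across fields (tag in one, code in another),
        # so one tagged field flags the request and every field is reported.
        if any(SCRIPT_TAG.search(v) for v in fields.values()):
            hits.append((number, fields))
    return hits


# Constructed sample lines: documentation addresses, path taken from the advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Feb/2006:20:55:15 -0500] "GET /pathtowimpy/goodies/'
    'wimpy_trackplays.php?myAction=trackplays&trackFile=%3C%3Fphp'
    '&trackArtist=system(%22uname%20-a%3Bid%3B%22)%3B&trackTitle=%3F%3E HTTP/1.1" 200 0',
    '192.0.2.20 - - [15/Feb/2006:20:56:01 -0500] "GET /pathtowimpy/goodies/'
    'wimpy_trackplays.php?myAction=trackplays&trackFile=song.mp3'
    '&trackArtist=Some%20Artist&trackTitle=Song%20(Live) HTTP/1.1" 200 0',
    '192.0.2.30 - - [15/Feb/2006:20:57:44 -0500] "GET /index.php?q=%3C%3Fphp HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, fields in suspicious_trackplays(SAMPLE_LOG):
        print(number, fields)
```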